As far as I understand, the Ghostery browser for Android is using the rendering engine built into Android, WebView? Does that make anybody using your browser with Android 4.3 or older vulnerable to the known security flaws of WebView? Since Google is not going to patch WebView for older Android versions, shouldn't a "privacy/safety"-aware browser use a safe rendering engine? Until such product change is implemented, I believe any users of the older Android versions should be recommended to use Firefox for Android in combination with your Firefox plugin rather than the stand-alone browser?
PS: There is no "Related product" category for the Android Privacy Browser here on the feedback post form.
Ghostery browser for Android: WebView vulnerabilities on Android <v4.4?
-
Dear Ghostery team, just checking in: has this one slipped through as a lot of newer threads have already received answers? I am a big fan of your product and loved the slick, straightforward Android Privacy Browser. Yet, I had to uninstall it for safety concerns on my Android 4.2 and revert to the sluggish Firefox and your FF plugin.
Are the above-mentioned concerns valid? Thank you.
-
Hey Bernhard,
There are three webview vulnerabilities that I am aware of in the WebView:
1 is a vulnerability with addJavascriptInterface, which we do not use at the moment so we are not vulnerable to that. (If we do ever use it, the new features that are added will not be enabled on 4.2 and lower because of this vulnerability):
http://www.cvedetails.com/cve/2012-6636
2 A vulnerability that lets an iframe on a page look into other frames on the page that it would normally not have access to because they have different domains. So if an attacker somehow got their code to be included on a page that you visit, they could inspect everything that is on the page and send it home to their servers. Ghostery is vulnerable to this attack:
http://www.cvedetails.com/cve/CVE-201...
3 is the recent FREAK vulnerability. It allows someone who is intercepting your https traffic to force you to use a weaker encryption method that can be broken given enough time. This one can be fixed on either the client or the server side. If the server doesn't accept the weaker encryption (which a lot of websites stopped accepting when this bug was revealed) then the client won't use it when communicating with the website and won't be vulnerable. The WebView itself is vulnerable on Android 4.4 and below though, so if you are visiting a server that hasn't fixed itself then you are vulnerable to this sort of attack:
https://securityblog.redhat.com/2015/...
So yes, the Android WebView that Ghostery is built on is vulnerable to #2 on s fault really. I believe they have released fixes for all of these, however it is up to cell carriers (Verizon, AT&T, etc) to actually release an update for the operating systems on all these phones. Which they are most likely not going to do.
So if you are on any affected version and are worried about these issues, I would definitely recommend that you use Firefox with Ghostery instead of the Ghostery browser.
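The version gate described in point 1 of the reply above, written out as an added example (this is not Ghostery's code). The class, method and bridge names are hypothetical, and the cutoff follows the reply's "not enabled on 4.2 and lower".

```java
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

/** Hypothetical helper: registers a JavaScript bridge only on Android versions above 4.2. */
public final class SafeBridgeInstaller {

    /**
     * Hypothetical bridge object. When the app targets API 17 or later, only
     * public methods carrying @JavascriptInterface are reachable from page script.
     */
    public static final class PageBridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // constructed sample value
        }
    }

    private SafeBridgeInstaller() {}

    /**
     * Installs the bridge and returns true, or returns false without touching
     * the WebView when the device runs Android 4.2 or lower.
     */
    public static boolean install(WebView webView) {
        // JELLY_BEAN_MR1 is API 17, i.e. Android 4.2. The reply's stated cutoff
        // is "4.2 and lower", so features that need the bridge stay off here.
        if (Build.VERSION.SDK_INT <= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            return false;
        }
        // The object becomes visible to page script on the next page (re)load.
        webView.addJavascriptInterface(new PageBridge(), "pageBridge");
        return true;
    }
}
```

Callers should treat a `false` return as "feature unavailable" and hide any UI that depends on the bridge, rather than falling back to an unguarded `addJavascriptInterface` call.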